WinSecWiki > Security Settings > Account Policies > Lockout Policy

Windows Account Lockout Policy

Account lockout is a useful method for slowing down online password-guessing attacks as well as to compensate for weak password policies. These three policies work together to limit the number of consecutive, within a period of time, logon attempts that fail due to a bad password.

To strengthen account lockout policy, increase Account lockout duration, decrease Account lockout threshold and increase Reset account lockout counter after. Making these policies too strict though can lead to premature account lockouts and increased helpdesk support calls.

Policy Scope

All of the settings in this section apply either to domain accounts in Active Directory or local accounts on member servers. See the article "Account Policies Explained" at the upper level. Also see the article "Fine Grained Password and Lockout Policy".

Policies

Example policies

The following policy is too weak; it would only trigger lockouts for very brazen password guessing attacks.

Account lockout duration: 5 minutes
Account lockout threshold: 15 invalid logon attempts
Reset account lockout after: 5 minutes

The following policy will limit an attacker to 10 consecutive logon attempts during any 24 hour period and require an administrator to unlock the account:

Account lockout duration: 1440 minutes
Account lockout threshold: 10 invalid logon attempts
Reset account lockout after: 0 minutes

Troubleshooting

Administrators frequently struggle with repeated unexplained and seemingly spontaneous account lockouts for a given user account. This is frequently due to a workstation where a user account remains logged on after that account’s password been changed elsewhere. But there are many other possible reasons including stored credentials, programs that cache credentials, scheduled tasks, services, persistent track mappings, Active Directory replication problems and disconnected Terminal Services sessions.

Microsoft has produced a number of resources to help diagnose this problem.

Account Passwords and Policies in Windows Server 2003 – see sections on account lockout
Account Lockout and Management Tools
Account Lockout Best Practices White Paper

Remember that, for domain accounts, Active Directory enforces just one account lockout policy for all domain user accounts in the entire domain. This policy is defined in the Default Domain Policy GPO linked to the root of the command. See upper level for more information.

Child articles:

Upcoming Webinars

Additional Resources

Lockout Policy

•	Lockout duration
•	Lockout threshold
•	Reset lockout

User name:
Password:
	/ Forgot?
	Register

April 2024 Patch Tuesday	"Patch Tuesday - One Zero Day and Record Number of Patches! " - sponsored by LOGbinder

Follow @randyfsmith

About | Newsletter | Contact

Ultimate IT Security is a division of Monterey Technology Group, Inc. ©2006-2024 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact abuse@ultimatewindowssecurity.com.